Is there any point using PKCE if a client id/secret is also used?

In OIDC authorization code flow, a client secret is sent via the back-channel to the authorization server's token endpoint.

Since a bad actor can't know the client secret, isn't that enough security?

How does PKCE help in this scenario?

Solution

PKCE is all about verifying that it is the same client using the authentication code that also starts the authentication request flow.

The client secret is all about authenticating the client to the authorization server. Also, the secret was introduced before PKCE, and not every authentication flow, client, or server supports PKCE.

So, in some cases, they might seem to overlap, but at the same time not. They have different purposes.

OAuth 2.0 was released in 2012 and PKCE was published in 2015.

Remix run: Authentication succeeds on validation failures
WMS service basic authentication
How to manage user claims?
How to get the popup menu to select user certificate in Tomcat 10 server?
Enable password and unix_socket authentication for MariaDB root user?
How to consume from an eventsource API requiring auth headers?
How to display an Error message when logging in fails in Reactjs
Notify navbar of authenticated status when logged in (Angular)
Proper way to store a token retrieved client-side in nextjs 13 "App Router" version?
Signout and login not working in auth.js in Next14 with middleware and server actions
Laravel: Auth::user()->id trying to get a property of a non-object
404 page not found when running firebase deploy
.NET 8 Blazor Server - role authorization with Windows Authentication
Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
Symfony2: How to change Entity Manager just before doing login_check
JWT signature verification failing
SMAppService register() - How to detect launch at startup/login vs regular launch?
AppwriteException: User (role: guest) missing scope (account), not able to get account after creating a session
authMiddleware doesn't exist after installing clerk
Stop request in CookieAuthenticationEvents.OnValidatePrincipal after response body has been written to
Blazor Hosted WebAssembly with Keycloak and Basic Authentication Issue
How to change the app name for Firebase authentication (what the user sees)
How do I restrict Apache/SVN access to specific users (LDAP/file-based authentication)?
Unexpected authorization behaviour in a Blazor Web App with .NET 8
MongoDB: Understand createUser and db admin
Update react context without refreshing page on state update
What is the standard/modern way to use CAC/PIV card authentication in Java/Tomcat web applications?
Keycloak retrieve custom attributes to KeycloakPrincipal
Secure Google Cloud Functions http trigger with auth
Cannot authenticate in fresh installed Laravel 11 with MySQL/MariaDB